NSA uses cookies to watch you online

The role of Google – which has developed into an Internet giant whose services 100s of millions of people around the world use every day – has once again been called into question after it emerged that the NSA (and, by implication, GCHQ) has been using cookies to track those Internet users in whom it is interested.

The revelation emerged after the latest batch of documents from former NSA contractor Edward Snowden were released this week, with the NSA using a Google-specific tracking mechanism known as `PREF' that allows a Web site to identify a user's computer using its browser digital fingerprint.

According to the Washington Post, once the user's digital fingerprint has been spotted a cookie is used that allows the NSA and GCHQ's servers to send custom coded software designed to hack the user's computer.

Snowden's documents suggest that Google is aware of this practice, although the company has refused comment on the story.

A cookie is a small piece of data sent from a Web site and stored in a user's Web browser whilst that user is browsing the site pages. Then, each time the user loads the site up, the browser sends the cookie back to the server to notify the site's servers of the user's previous activity.

It was this issue that caused US and EU legislators back in 2011 to implement protective rules designed to protect Internet users and their identities. In May of that year, the EU mandated that “explicit consent" must be gathered from Web users who are being tracked via cookies.

Under the European e-Privacy directive – which became law on May 25th that year – the cookie element was drawn up in an attempt to protect user privacy and, in particular, limit how much use could be made of behavioural advertising.

Edward Snowden's latest materials include a number of slides that suggest that the NSA is using cookie-based tracking techniques to help identify targets for offensive hacking operations.

According to the Washington Post, for years, privacy advocates have raised concerns about the use of commercial tracking tools to identify and target consumers with advertisements.

“The revelation that the NSA is piggybacking on these commercial technologies could shift that debate, handing privacy advocates a new argument for reining in commercial surveillance,” says the paper.

Snowden's slides suggest that the cookies are used to "enable remote exploitation," although – as the Washington Post observes - the specific attacks used by the NSA against targets are not addressed in these documents.

SCMagazineUK.com notes that it is important to understand that the cookie is only one element in the NSA's arsenal of tracking technology, and merely allows the NSA's servers to automatically identify a user's PC when it accesses a given Web site – in much the same way that Government agencies request banks to alert them if a suspect's credit or debit card is used to make a purchase.

Although Google has refused comment on the Washington Post report, the paper quotes Chris Hoofnagle, a lecturer at the University of California's School of Law in Berkley, California, as saying that the statement `we need to track everyone everywhere for advertising' translates into 'the government being able to track everyone everywhere.'

It is, he told the paper, hard to avoid.

“The NSA declined to comment on the specific tactics outlined in this story, but an NSA spokesman sent [the Washington Post] a statement: `As we've said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans'.”

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.